1. Technical Field
The invention relates generally to user authentication technique in a networked system. More particularly, the invention relates to a system and collection of methods for optimizing the user-experienced availability and responsiveness of a replicated authentication system via the use of client-side authentication routing logic.
2. Description of the Prior Art
As the world has been more networked over the Internet, consumers perform more and more transactions via the World Wide Web. Almost all Web sites providing useful contents or services requires user authentication, which is a process to ensure that a user is who he claims to be. In private and public computer networks including the Internet, authentication is commonly carried out through the use of logon passwords. When the user registers with a network, he declares or is assigned a unique password. On each subsequent use, the user must know and use the password to access the network. The user's knowledge of the password is assumed to guarantee that he is authentic.
When user authentication is required, a Web server redirects the user to a logon page. A logon usually requires that the user have a user ID and a password. Often, the user ID must conform to a limited length such as eight characters and the password must contain, for example at least one digit, and not match a natural language word. The user ID can be freely known and is visible when entered at a keyboard or other input device. The password must be kept secret and is not displayed as it is entered.
In the logon process, the user enters his user ID and password. The authentication server compares the user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.
There are two major concerns regarding to an authentication service. The first one is security and the second one is availability. In the security concern, the authentication service should provide trustworthy authentication results and be hard for invaders to break through. While in the availability concern, the authentication service should remain available in a pre-determined time frame, which often requires 24×7 coverage.
The security concern has drawn most of the attention and a great number of techniques have been devoted to this area. Cryptography has been introduced to encrypt the users' secret passwords to prevent steal of passwords by unauthorized person. Even in the case that the authentication server is invaded, the invader can only get the encrypted passwords and it is often hard if not impossible to retrieve the user's secret password. For example, Matyas et al. in U.S. Pat. No. 4,218,738 disclosed a secure hardware for cryptographically generating a verification pattern which is a function of a potential computer user's identity number, the potential computer user's separately entered password, and a stored test pattern. The secure hardware was also provided for generating verification patterns during authentication processing and for generating test patterns during the secure run. The secure hardware used a variation of the host computer master key to reduce risk of compromising of total system security.
To meet the availability concern, one authentication server is often replicated one or more times, so that a pool of authentication servers can all provide the authentication service. Unless all authentication servers of the pool are all unavailable at the same time, the authentication service is always available. Although the replication approach provides the necessary availability coverage, it also introduces issues like data propagation because user authentication information needs to be propagated accurately and rapidly among participating authentication servers. In addition, the security of the whole authentication system becomes lower as authentication servers increase in number and become more distributed. In the article entitled “Increasing Availability and Security of an Authentication Service” published on Jun. 9, 1993, Li Gong proposed a general solution by replicating the authentication server in such a way that multiple servers share the responsibility of providing the authentication service and a minority of compromised servers cannot compromise the service through malicious behavior and collusion. An authentication protocol is developed using secret-sharing techniques and a cross-checksum scheme so that a set of servers provide a distributed authentication service while each server providing only a fraction of the authentication. The protocol has a configurable threshold number which can explore the trade-off between availability and security when adjusted.
In the situation where a pool of authentication servers is used, an efficient technique for routing the authentication request to the available ones among the replicated authentication servers becomes significant. For example, in order to provide higher available authentication server, a secondary authentication server is often needed to back up a first authentication server, which is also referred to the primary authentication server. The secondary authentication server is used when the primary authentication server is temporarily unavailable.
It is often desired to minimize the probability that a Web user authentication request is submitted to a temporarily unavailable or slow-to-respond primary authentication server, such that a secondary authentication server can be maximally leveraged for higher overall Web authentication service availability. Additionally, it is desired in this situation to avoid submitting any Web authentication requests to the primary authentication server when it is unavailable or slow-to-respond, because this will cause a bad user experience such as the user receiving an error page after the request to the primary authentication server times out.
One typical approach to solving this availability problem is to employ an authentication routing server in front of the primary and secondary authentication servers. User authentication requests are submitted to this routing server instead of directly to the primary or secondary authentication server, and the routing server forwards the request on to the primary authentication server or the secondary authentication server depending on the current value of an availability flag that the routing server maintains. The routing server periodically checks the availability of the primary authentication server at some predetermined frequency, say once per minute, and updates the availability flag when the primary server goes from available to not-available and vice-versa. When the availability flag indicates primary authentication server is available, authentication requests are submitted to primary authentication server, otherwise authentication requests are submitted to the secondary authentication server.
There are several shortcomings with this approach. For example, the availability of the primary authentication server may be partial and thus dependent on the particular user being authenticated, hence a single availability flag is too coarse. Secondly and most importantly, the routing server itself becomes a single point of failure in this architecture, since all user authentication requests go through it before getting to the primary or secondary authentication servers.
What is desired is a technique for enabling dynamic client-side authentication routing such that secondary, tertiary, etc. replicated authentication servers can be maximally leveraged to optimize the user-experienced availability and responsiveness of the authentication system.